Deep packet inspection used to stop censorship in new “Telex” scheme

University of Michigan researchers have developed technology that silently …

The Internet has become so economically important that few countries can afford to cut off access altogether. Instead, repressive regimes allow 'Net access, but try to block individual websites they don't want their populations to see. Some users, aided by allies in the West, use circumvention technologies like Web proxies or TOR to access forbidden information. This has led to a long-running cat-and-mouse game in which censorship opponents establish new proxies while censors race to identify and block them.

Researchers at the University of Michigan have developed technology that they hope can decisively tilt the playing field toward free speech. Their system, called Telex, is an "end-to-middle" proxy scheme. That is, rather than explicitly directing traffic to a proxy server, users "tag" traffic they want proxied and transmit it to an ordinary website that happens to have a Telex-enabled router between it and the user. The router recognizes the tag and silently redirects the packets to their real destination.

The trick is that the tags need to be encoded in a way that the Telex system can detect but that the censor cannot. Otherwise, the censor would simply block tagged traffic.

The system accomplishes this using a clever tweak to the TLS handshake that occurs whenever a browser initiates an encrypted Web connection. One of the steps in that handshake requires the client to choose a random bit string known as a "nonce." If a client wants Telex to redirect the connection, it uses Telex's public key to generate a steganographic "tag." The tag format is carefully chosen so that someone who knows the Telex private key will be able to recognize the tag efficiently—but no one else will be able to distinguish it from a random string.

The Telex system consists of "stations" connected to routers at various points in the Internet's architecture. The stations use deep packet inspection to monitor all the TLS handshakes that go across the wire and look for nonces that are Telex tags. Once the Telex station sees a tag, it hijacks the connection, sending a TCP reset command to the original destination and serving as a proxy between the client and its actual destination.

The beauty of this scheme, if implemented well, is that from the perspective of a censor near the end user, a Telex-proxied connection is indistinguishable from ordinary communication with a website that the censor considers innocuous. The authors envision a large-scale deployment in which most network routes out of the target country includes at least one Telex-enabled router. Then the censor won't have any way to prevent, or even detect, traffic to websites it wishes to block—unless it cuts off all access to the Internet beyond its borders.

Could this be done at the scale required by real-world ISPs? "Widescale Telex deployment will likely require Telex stations to scale to thousands of concurrent connections, which is beyond the capacity of our prototype," the authors write.

But Alex Halderman, the Michigan computer science professor who led the Telex team, told Ars that the technology is very amenable to distributed approaches, which the team plans to investigate in future work. Also, the fact that Telex is implemented as separate devices attached to routers, rather than a function of the router itself, means Telex will "fail open." That is, if a station gets overwhelmed, the router will revert to the behavior of an ordinary, non-Telex router.

Who will deploy it?

Halderman said that once the engineering details are ironed out, government help will likely be needed to get a system like Telex off the ground. There's no obvious market incentive to adopt a system like Telex, but its deployment could serve the diplomatic interests of liberal democracies. So Western governments could provide subsidies, tax breaks, or other incentives for their domestic ISPs to participate. The cost of adopting Telex "would be relatively moderate compared to other international relations scale activities that governments do," Halderman said.

Governments can also provide political cover. "ISPs might not want to jump on board with this unless they know that other ISPs are going to do so," he said. "If you're a company that has international business, you're not going to want to be singled out." However, he said, if a Western government persuaded all of its ISPs to adopt Telex simultaneously, it would be much more difficult for repressive regimes to retaliate against any single ISP.

Timothy B. Lee / Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times.